> ## Documentation Index
> Fetch the complete documentation index at: https://docs.airmdr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cloudflare

> Cloudflare is used to enhance the performance, security, and reliability of websites and applications. It acts as a content delivery network (CDN), providing services like load balancing, DDoS protection, and caching to improve website speed and protect against cyber threats.

## Purpose

The **Cloudflare integration** enables AirMDR to authenticate with Cloudflare and access account- or zone-level configuration and security context required for alert enrichment, investigation, and workflow automation. Depending on the use case, AirMDR may use either a **legacy Global API Key** with the account email, or a scoped **API Token** with specific permissions. Cloudflare recommends using **API tokens whenever possible** because they are more secure and more narrowly scoped than Global API Keys.

## ✅ **Prerequisites**

Ensure you meet these prerequisites before starting:

* Access to a **Cloudflare account** with administrative privileges.
* At least one **domain (zone)** added to your Cloudflare account.
* Access to the required **account** and **zone.**
* Permission to create:
  * API Tokens, or
  * Access legacy Global API Key
* Secure storage for the generated credentials

<AccordionGroup>
  <Accordion title="Supported Versions">
    | Component            | Supported Version                   |
    | :------------------- | :---------------------------------- |
    | Cloudflare Dashboard | Supported                           |
    | Cloudflare API       | Current supported API               |
    | AirMDR Platform      | Current supported cloud deployments |
  </Accordion>
</AccordionGroup>

## Authentication

Cloudflare supports **two authentication methods** for AirMDR integration:

<AccordionGroup>
  <Accordion title="🔹 Option 1: API Token (Recommended)">
    * Uses a **scoped API Token**
    * Provides **least-privilege access**
    * Preferred by customers and recommended by Cloudflare
  </Accordion>

  <Accordion title="🔹 Option 2: Email + Global API Key (Legacy)">
    * Uses:
      * Cloudflare **account email**
      * **Global API Key**
      * **Account ID**
    * Provides **full account-level access**
    * Should only be used if API Token is not feasible\
      Uses:
      * Cloudflare **account email**
      * **Global API Key**
      * **Account ID**
    * Provides **full account-level access**
    * Should only be used if API Token is not feasible
  </Accordion>
</AccordionGroup>

### Required Parameters

| Parameter            | API Token Method | Global API Key Method |
| :------------------- | :--------------- | :-------------------- |
| Authentication Email | ❌ Not required   | ✅ Required            |
| Global API Key       | ❌ Not required   | ✅ Required            |
| API Token            | ✅ Required       | ❌ Not required        |
| Account ID           | ✅ Required       | ✅ Required            |
| Zone ID              | ✅ Required       | ✅ Required            |

<Note>
  Use **API Token method wherever possible** for better security and control.
</Note>

### 🔑 Cloudflare Integration Guide

This guide outlines the process of retrieving key credentials from your Cloudflare dashboard for integration with external tools and APIs.

[Method 1: Generate API Token (Recommended)](https://docs.airmdr.com/Integrations/Cloudflare#method-1-generate-api-token-setup-steps)

[Method 2: Generate Global API Key (Legacy)](https://docs.airmdr.com/Integrations/Cloudflare#method-2-generate-global-api-key-legacy-setup-steps)

### Method 1 - Generate API Token Setup steps

To generate an API Token in the Cloudflare Platform for integrating with AirMDR, follow these steps:

<Steps>
  <Step title="Sign In to Cloudflare">
    1. Go to [Cloudflare](https://dash.cloudflare.com) dashboard.
    2. Enter your login credentials and sign in.
  </Step>

  <Step title="Create API Token" stepNumber={2}>
    1. Click your **profile icon** (top-right).
    2. Navigate to **My Profile → API Tokens.**
    3. Click **Create Token**.
    4. Choose
       * Predefined template \
         (OR)
       * Custom Token
    5. Configure:
       * Token Name
       * Permissions (Zone / Account level)
       * Resources (specific zones or all zones)
    6. Click Continue to summary → Create Token
           <Warning>
             **Token will only be visible once**\
             \
             Copy and securely save the secret API Token in your preferred password manager or secure storage solution.
           </Warning>
  </Step>

  <Step title="Retrieve Cloudflare Account ID">
    1. From the main dashboard, select any of your active domains.
    2. In the left-hand sidebar, scroll down and click **Overview** (if not already selected).
    3. In the right-side panel (under “API” section), locate your **Account ID**.
    4. Click **Copy** to save it.
  </Step>

  <Step title="Retrieve Cloudflare Zone ID (Optional)">
    1. From the **Overview** tab of your selected domain (zone).
    2. Scroll down to the section titled **API** or **Zone ID**.
    3. Locate the **Zone ID** and click **Copy**.
           <Info>
             The **Zone ID** uniquely identifies your domain within Cloudflare.
           </Info>
           <Check>
             Email the **API Token**, **Cloudflare Account ID** and **Cloudflare Zone ID** to AirMDR \
             or \
             Self [configure](https://app.airmdr.com/integrationsv2/8e397252-d4eb-4121-a51c-c6b136c259bd/connections?search=cloud) Cloudflare in the AirMDR Integrations Dashboard.
           </Check>
  </Step>
</Steps>

### Method 2: Generate Global API Key (Legacy) Setup steps

To generate an Global API key in the Cloudflare Platform for integrating with AirMDR, follow these steps:

<Steps>
  <Step title="Sign In to Cloudflare">
    1. Go to [Cloudflare](https://dash.cloudflare.com) dashboard.
    2. Enter your login credentials and sign in.
  </Step>

  <Step title="Retrieve Your Authentication Email" stepNumber={2}>
    <Info>
      Your **authentication email** is the email address you use to log into Cloudflare.\
      \
      It will appear in the top-right corner of the dashboard once you're logged in.

      This email is used along with your API key when authenticating API requests.
    </Info>

    1. Log in to the Cloudflare dashboard.
    2. Click your **profile icon** in the top-right corner.
    3. Open your **profile settings**.
    4. Note the email address associated with the account.
           <Check>
             Use only this value as the **Authentication Email** when AirMDR requires legacy Global API Key authentication
           </Check>
  </Step>

  <Step title="Retrieve the Global API Key (Authentication API Key)">
    1. From the dashboard, click your **profile icon** in the top-right corner.
    2. Select **My Profile** → Go to the **API Tokens** tab.
    3. Under **API Keys** section, locate **Global API Key** and click **View**.
    4. Enter your password to confirm.
    5. Click **Copy** to store the key securely.
           <Note>
             The Global API Key grants full account access.
           </Note>
           <Warning>
             Copy and securely save the secret API key in your preferred password manager or secure storage solution. **Use the Global API Key only if your AirMDR integration specifically requires the legacy authentication model.**
           </Warning>
  </Step>

  <Step title="Retrieve Cloudflare Account ID" stepNumber={4}>
    1. From the main dashboard, select any of your active domains.
    2. In the left-hand sidebar, scroll down and click **Overview** (if not already selected).
    3. In the right-side panel (under “API” section), locate your **Account ID**.
    4. Click **Copy** to save it.
  </Step>

  <Step title="Retrieve Cloudflare Zone ID (Optional)" stepNumber={5}>
    1. From the **Overview** tab of your selected domain (zone).
    2. Scroll down to the section titled **API** or **Zone ID**.
    3. Locate the **Zone ID** and click **Copy**.
           <Info>
             The **Zone ID** uniquely identifies your domain within Cloudflare.
           </Info>
           <Check>
             Email the **Global** **API key, Authentication Email**, **Cloudflare Account ID**, and **Cloudflare Zone ID** to AirMDR \
             or \
             Self [configure](https://app.airmdr.com/integrationsv2/8e397252-d4eb-4121-a51c-c6b136c259bd/connections?search=cloud) Cloudflare in the AirMDR Integrations Dashboard.
           </Check>
  </Step>
</Steps>

<AccordionGroup>
  <Accordion title="UI Path Reference">
    | Credential     | Path                                   |
    | :------------- | :------------------------------------- |
    | API Token      | My Profile → API Tokens → Create Token |
    | Global API Key | My Profile → API Tokens → API Keys     |
    | Account ID     | Account Home → Overview                |
    | Zone ID        | Zone → Overview                        |
  </Accordion>

  <Accordion title="✅ Summary">
    You can integrate Cloudflare with AirMDR using:

    **Recommended:**

    * API Token + Account ID + Zone ID

    **Alternative:**

    * Email + Global API Key + Account ID + Zone ID

    | Credential                          | Description                                          |
    | :---------------------------------- | :--------------------------------------------------- |
    | API Token                           | Used to authenticate API requests                    |
    | Authentication Email                | Your Cloudflare login email                          |
    | Global API Key                      | Used to authenticate API requests                    |
    | Account ID                          | Unique ID for your Cloudflare account                |
    | Zone ID (Optional Requirement only) | Unique ID for each domain (zone) added to Cloudflare |
  </Accordion>

  <Accordion title="Post-Setup Security Best Practices (Optional)">
    * Store credentials in environment variables or secrets managers.
    * Rotate Global API keys/API tokens regularly and revoke unused tokens immediately.
    * **Support**
      * For Cloudflare account and API token issues, refer to Cloudflare API and account documentation. For AirMDR integration issues, contact [AirMDR Support](mailto:support@airmdr.com).
  </Accordion>

  <Accordion title="Error Handling">
    | Error                        | Cause                                    | Resolution                                              |
    | :--------------------------- | :--------------------------------------- | :------------------------------------------------------ |
    | Invalid API Key              | Incorrect Global API Key                 | Recheck the Global API Key in My Profile                |
    | Invalid Authentication Email | Wrong Cloudflare account email           | Confirm the login email used in Cloudflare              |
    | Invalid API Token            | Token expired, revoked, or missing scope | Recreate the token with the correct permissions         |
    | Account ID not found         | Wrong account selected                   | Verify the account from Account Home or Workers & Pages |
    | Zone ID not found            | Wrong zone selected                      | Verify the zone from the Overview page                  |
    | Permission denied            | Token lacks required permissions         | Update token scopes and retry                           |
  </Accordion>

  <Accordion title="Test Cloudflare Authentication">
    ### Sample `cURL` Requests to Test Cloudflare Authentication - with `GLOBAL_API_KEY`

    ```text theme={null}

    curl -X GET "https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/audit_logs?per_page=1" \
      -H "X-Auth-Key: {API_KEY}" \
      -H "X-Auth-Email: {AUTH_EMAIL}" \
      -H "Content-Type: application/json"
    ```

    > * `YOUR_ACCOUNT_ID` with your actual Cloudflare Account ID
    > * `YOUR_EMAIL@example.com` with your Cloudflare account email
    > * `YOUR_GLOBAL_API_KEY` with your Global API Key.

    <Accordion title="Sample JSON Response" icon="sparkles">
      ```text theme={null}

      {
          "result": [
              {
                  "action": {
                      "result": true,
                      "type": "login"
                  },
                  "actor": {
                      "email": "example.sample@yourcompany.com",
                      "id": "5b1513f96649e65............",
                      "ip": "46.49.44.187",
                      "type": "user"
                  },
                  "id": "f9276d3e-c9aa-5edd-9e61-.........",
                  "interface": "",
                  "metadata": {},
                  "newValue": "",
                  "newValueJson": {},
                  "oldValue": "",
                  "oldValueJson": {},
                  "owner": {
                      "id": "5b1513f96649e6............."
                  },
                  "resource": {
                      "id": "5b1513f96649e..........",
                      "type": "account"
                  },
                  "when": "2026-03-24T10:15:06Z"
              }
          ],
          "success": true,
          "errors": [],
          "messages": []
      }
      ```
    </Accordion>

    ### Sample `cURL` Requests to Test Cloudflare Authentication - with `API_TOKEN`

    ```text theme={null}
    curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
      -H "Authorization: Bearer {API_TOKEN}" \
      -H "Content-Type: application/json"
    ```

    * `YOUR_API_TOKEN` with your actual Cloudflare API Token

    <Accordion title="Sample JSON Response">
      ```text theme={null}
      {
          "result": {
              "id": "a49de11a..................b",
              "status": "active"
          },
          "success": true,
          "errors": [],
          "messages": [
              {
                  "code": 10000,
                  "message": "This API Token is valid and active",
                  "type": null
              }
          ]
      }
      ```
    </Accordion>
  </Accordion>
</AccordionGroup>

## Skills Provided by this Integration

<Accordion title="Cloudflare Skills — Permission Requirements">
  To ensure proper functionality of Cloudflare integrations in AirMDR, configure permissions based on the **Skills** you intend to use.

  <Note>
    Grant only the minimum required permissions based on the enabled Skills.
  </Note>

  | **Skill Name**                                       | **Access Type**  | **Permissions Required**                                         |
  | :--------------------------------------------------- | :--------------- | :--------------------------------------------------------------- |
  | **Cloudflare Get Account Audit Logs for Detections** | **Read**         | **Audit Logs (Account: Read), Account Settings (Account: Read)** |
  | **Get Cloudflare Audit Logs**                        | **Read**         | **Audit Logs (Account: Read)**                                   |
  | **Get Cloudflare Security Center Insights**          | **Read**         | **Security Insights (Account: Read), Zone WAF (Zone: Read)**     |
  | **List Cloudflare Access Applications**              | **Read**         | **Access: Apps and Policies (Account: Read), Zone (Zone: Read)** |
  | **Get Cloudflare Zone Details**                      | **Read**         | **Zone (Zone: Read), Zone Settings (Zone: Read)**                |
  | **Create Cloudflare Ruleset Rule**                   | **Read + Write** | **Account Rulesets (Account: Edit), Zone WAF (Zone: Edit)**      |

  ### **Summary**

  | **Access Type**  | **Scope**                                                         |
  | :--------------- | :---------------------------------------------------------------- |
  | **Read**         | **Audit Logs, Security Insights, Access Applications, Zone Data** |
  | **Read + Write** | **Ruleset creation and WAF modifications**                        |
</Accordion>

| Skill ID                                             | Purpose                                                                                                                                                                                                                |
| :--------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Get Cloudflare Security Center Insights**          | Fetches security insights from Cloudflare Security Center for accounts or zones.                                                                                                                                       |
| **Get Cloudflare Audit Logs**                        | Fetches audit logs from Cloudflare accounts showing changes and activities.                                                                                                                                            |
| **Cloudflare Get Account Audit Logs for Detections** | This skill retrieves audit logs from Cloudflare for detection purposes. It supports filtering by actor email/IP, time ranges, zones, and pagination to identify security-related activities and configuration changes. |
| **List Cloudflare Access Applications**              | Lists Cloudflare Access applications for accounts or zones with rich filters.                                                                                                                                          |
| **Get Cloudflare Zone Details**                      | Gets Cloudflare zones with optional filters or a specific zone by ID.                                                                                                                                                  |
| **Create Cloudflare Ruleset Rule**                   | Creates a new rule within a Cloudflare ruleset for accounts or zones.                                                                                                                                                  |

<Tip>
  To view the details of Input Parameters and Output for the respective skills

  * Go to [AirMDR → Cloudflare](https://app.airmdr.com/integrationsv2/8e397252-d4eb-4121-a51c-c6b136c259bd/skills?search=cloud) Integration page.
  * Select the **Skills** tab and click on the required listed skills.
</Tip>

## Configure Cloudflare in the AirMDR Integrations Dashboard

1. Navigate to [AirMDR](https://app.airmdr.com/auth/login), provide the credentials, and click **Login**
2. Navigate to the AirMDR Integrations Dashboard in the left navigation pane and select **Integrations.**
3. Use the search option, enter the keyword "**Cloudflare**", select the **Connections** tab, and click **Add New Connection**.
4. Enter an unique name to the **Instance** (e.g., `your org name-Cloudflare`) and brief **Description** to easily identify the user connection by AirMDR.
5. Enter the generated **Authentication API Key (Global API Key)**, and retrieved **Authentication Email**, **Cloudflare Account ID**, **Cloudflare Zone ID** and Expiry (optional) in the Authentication Details field params, and click **Save.**
